Forum Discussion

m_balcarek
Copper Contributor
Mar 11, 2022

Search-UnifiedAuditLog inconsistent results

Hello, I use a PowerShell script to retrieve audit log entries we are interested in from the previous day.

We grab chunks of 5000 records until we get all the rows from the previous calendar day.

We are finding that if we run Search-UnifiedAuditLog at 3 AM on 3/9 for the previous day,


$StartDate = (Get-Date).Date.AddDays(-1)
$EndDate = (Get-Date).Date  # start of next day


that we get different results compared to running a day later for the same date range.

$StartDate = (Get-Date).Date.AddDays(-2)
$EndDate = (Get-Date).Date.AddDays(-1)


Is there some sort of settle period before all the rows are available in the audit log?


# Values the rest of the script is assumed to set before this loop (not shown in the post):
$BatchSize = 5000                 # records per Search-UnifiedAuditLog call (the cmdlet maximum)
$AllowedLoops = -1                # -1 = no cap on the number of iterations
$Ctr = 0
$UnfilteredAuditResults = @()
$primaryLogFile = ".\audit-search.log"
# Minimal stand-in for the script's own Write-Log helper, so the snippet runs on its own
function Write-Log ($Level, $Message, $Path) { "$(Get-Date -Format o) [$Level] $Message" | Out-File -FilePath $Path -Append }

$StartDate = (Get-Date).Date.AddDays(-1)
$EndDate = (Get-Date).Date  # start of next day

do {
    $Ctr++
    $UnfilteredPartialAuditResults = @()
    Write-Log "INFO" ("    Starting Audit Log Search with start date:" + $StartDate.ToString("G") + " end date:" + $EndDate.ToString("G")) $primaryLogFile

    $SharePointLog = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -RecordType SharePointFileOperation `
        -Operations "AccessRequestAccepted", "FileAccessed", "FileDownloaded", "FileUploaded", "FileDeleted", "FileModified" `
        -ResultSize $BatchSize -SessionCommand ReturnNextPreviewPage

    if ($SharePointLog.AuditData) {
        # AuditData is a JSON string per record; flatten it to the fields we keep.
        # @(...) keeps .Count meaningful when only one record comes back.
        $UnfilteredPartialAuditResults = @($SharePointLog.AuditData | ConvertFrom-Json |
            Select-Object CreationTime, UserId, Operation, ObjectID, SiteUrl, SourceFileName, ClientIP)
        $UnfilteredAuditResults += $UnfilteredPartialAuditResults
        Write-Log "INFO" ("    Retrieved " + $UnfilteredAuditResults.Count + " items.") $primaryLogFile
    }

    if ($UnfilteredAuditResults.Count -gt 0 -and $UnfilteredPartialAuditResults.Count -gt 0) {
        # set the end date to the last datetime retrieved, so the next call continues from there
        $LastCreationDateTime = $UnfilteredAuditResults[$UnfilteredAuditResults.Count - 1] | Select-Object CreationTime
        $LastEndDate = Get-Date $LastCreationDateTime.CreationTime

        # $LastEndDate = $LastEndDate.AddSeconds(-1)
        $EndDate = $LastEndDate #.ToUniversalTime()
    }
} until ($UnfilteredPartialAuditResults.Count -lt $BatchSize -or ($Ctr -ge $AllowedLoops -and $AllowedLoops -ne -1))
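As an added example (not code from the original post), the following script collects one UTC day of SharePoint file events using the cmdlet's own server-side paging (a fixed `-SessionId` with `-SessionCommand ReturnLargeSet`) instead of re-running the search with a shrinking end date, saves the result as a snapshot, and diffs two snapshots of the same day taken at different times. The diff lists the records that were not yet visible at the earlier run, which is what you need to measure before deciding how long to wait for a day's export. It assumes an already established Connect-ExchangeOnline session; the `$Operations` default, the `$MaxPages` guard, the snapshot file paths and the function names are constructed for illustration.

```powershell
# Added example: session-paged collection of one UTC day, plus a snapshot diff.
# Assumes Connect-ExchangeOnline has already been run in this session.

function Get-UnifiedAuditDay {
    param(
        [Parameter(Mandatory)][datetime]$DayUtc,        # any time on the UTC day to collect
        [string[]]$Operations = @("FileAccessed", "FileDownloaded", "FileUploaded", "FileDeleted", "FileModified"),
        [int]$BatchSize = 5000,                          # cmdlet maximum per call
        [int]$MaxPages = 200                             # hard stop so a broken session cannot loop forever
    )
    # Search-UnifiedAuditLog interprets -StartDate/-EndDate as UTC, so build the window in UTC
    $startUtc = $DayUtc.Date
    $endUtc   = $startUtc.AddDays(1)
    # One SessionId per collection: ReturnLargeSet pages through the same server-side
    # result set on each call until nothing is left.
    $sessionId  = [guid]::NewGuid().ToString()
    $byIdentity = @{}                                    # dedupe on the record's Identity
    $page = 0
    do {
        $page++
        $batch = @(Search-UnifiedAuditLog -StartDate $startUtc -EndDate $endUtc `
            -RecordType SharePointFileOperation -Operations $Operations `
            -ResultSize $BatchSize -SessionId $sessionId -SessionCommand ReturnLargeSet)
        foreach ($rec in $batch) {
            $data = $rec.AuditData | ConvertFrom-Json
            $byIdentity[$rec.Identity] = [pscustomobject]@{
                Identity     = $rec.Identity
                CreationDate = $rec.CreationDate.ToUniversalTime()
                UserId       = $data.UserId
                Operation    = $data.Operation
                ObjectId     = $data.ObjectId
                ClientIP     = $data.ClientIP
            }
        }
    } while ($batch.Count -gt 0 -and $page -lt $MaxPages)
    # Stable ordering so a later diff does not depend on the order pages came back in
    $byIdentity.Values | Sort-Object CreationDate, Identity
}

function Save-AuditSnapshot {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Records,
        [Parameter(Mandatory)][string]$Path
    )
    $Records | ConvertTo-Json -Depth 5 | Set-Content -Path $Path -Encoding utf8
}

function Compare-AuditSnapshots {
    # Returns the records present in the later snapshot but absent from the earlier one,
    # i.e. events that were not yet visible when the first collection ran.
    param([Parameter(Mandatory)][string]$EarlierPath, [Parameter(Mandatory)][string]$LaterPath)
    $earlier = @{}
    foreach ($r in @(Get-Content $EarlierPath -Raw | ConvertFrom-Json)) { $earlier[$r.Identity] = $true }
    $later = @(Get-Content $LaterPath -Raw | ConvertFrom-Json)
    $lateArrivals = @($later | Where-Object { -not $earlier.ContainsKey($_.Identity) })
    [pscustomobject]@{
        EarlierCount   = $earlier.Count
        LaterCount     = $later.Count
        LateArrivals   = $lateArrivals
        # earliest CreationDate among the late arrivals shows how far back the gap reaches
        OldestLateEvent = ($lateArrivals | Sort-Object CreationDate | Select-Object -First 1).CreationDate
    }
}

# Usage: run once the morning after, run again a day later, then compare the two files.
$day      = (Get-Date).ToUniversalTime().Date.AddDays(-1)
$tag      = $day.ToString("yyyy-MM-dd")
$snapshot = ".\audit-$tag-run$(Get-Date -Format yyyyMMddHHmm).json"    # constructed path
Save-AuditSnapshot -Records @(Get-UnifiedAuditDay -DayUtc $day) -Path $snapshot
# Compare-AuditSnapshots -EarlierPath .\audit-2022-03-08-run202203090300.json -LaterPath .\audit-2022-03-08-run202203100300.json
```

Keying on `Identity` rather than on `CreationTime` also avoids the two failure modes of the shrinking-end-date loop in the post: records that share the last retrieved timestamp are neither fetched twice nor skipped when the next call starts from that timestamp.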
